Security assembly particularly for electrosensitive protection equipment

ABSTRACT

An assembly comprising two micro-controllers (MC₁, MC₂) separately receiving specific and synchronous information (input states) in order to process it and supply respective outputs (S₁, S₂), and which are connected through links (C₁, C₂) to make the running of the programs consistent, and a comparator (K) receiving the outputs (S₁, S₂) from the micro-controllers (MC₁, MC₂) in order to transmit a signal in the event of nonconformity.
A re-writable memory is respectively associated with each micro-controller (MC₁, MC₂). An interface common to the two micro-controllers (MC₁, MC₂) is connected to them through a common micro-controller (MC₃) in order to write the parameterization data for the functions of the two micro-controllers (MC₁, MC₂) by means of the common micro-controller (MC₃).

This invention relates to a security assembly notably for electrosensitive protection equipment, comprising

two micro-controllers separately receiving specific and synchronous information (input states) in order to process it and supply respective outputs, the two micro-controllers being connected through links to make the running of the programs processing the two input states in the micro-controllers consistent,

a comparator receiving the outputs from the micro-controllers in order to transmit a signal in the event of nonconformity.

Such security assemblies are notably fitted to dangerous machines. They receive information from sensors and process the received signals in order to validate the operation of the installation, to stop it or to prohibit it.

According to the security category into which these security assemblies are classified, the regulations are more or less strict and in the most strict category, any operational incident must be treated as the detection of a person penetrating the area of the machine that is being protected.

For this, known security assemblies such as those mentioned above, have a redundant structure. The pieces of information are processed along two paths in a synchronous manner, and the two paths exchange operating information. Then the outputs are compared in order to verify consistency.

In order to modify the operation of the security assembly, it is necessary to inject a new parameterization onto each of the channels fitted to a micro-processor. This introduction is relatively long and tedious since it is carried out, for example, with the help of switches which limits the possibilities in addition to causing the inconvenience mentioned above.

The purpose of this invention is to remedy these disadvantages and to create a security assembly of the type specified above that allows one to modify the parameterization of the security assembly in order to adapt it easily to new configurations, to make the assembly applicable to numerous situations and, indeed, to make it versatile.

To this effect, the invention relates to such a security assembly, characterized in that it comprises

a re-writable memory linked respectively to each micro-controller

an interface common to the two micro-controllers, connected to them through a common micro-controller in order to enter the parameterization data of the functions of the two micro-controllers by means of the common micro-controller.

The invention thereby allows one to modify the operation of the security assembly in a simple way by the one-time introduction of the parameterization data through the interface. These data are communicated through the micro-controller common to the micro-controllers of the two channels, which enter these configuration data into their respective re-writable memories. During this update or operational modification of the security assembly, the outputs are prohibited and the assembly operates only on reception of parameterization messages.

The bilateral writing with exchange permits assured entry of the message which is doubly written and recognized. Each message is made up of a cyclic redundancy code that permits verification and in the event of nonconformity, the rejection of the code.

At the end of this parameterization the security assembly is once again available to provide the security function by processing the input states, the processing being kept synchronous by the direct exchange of data between the two micro-controllers of the two parallel processing channels.

In accordance with other advantageous characteristics

a re-writable memory is respectively linked to each micro-controller

an interface common to the two micro-controllers is connected to them through a common micro-controller to enter the parameterization data of the functions of the two micro-controllers by means of the common micro-controller.

This invention will be described below in a more detailed manner with the help of the appended drawings in which

FIG. 1 is a diagram of a known security assembly,

FIG. 2 is a diagram of a security assembly according to the invention,

FIG. 3 shows the configuration phase of the security assembly,

FIG. 4 shows the general algorithm of the security assembly according to the invention.

According to FIG. 1, a known security assembly, intended for the applications mentioned above, is made up of two branches B₁, B₂ each having a micro-controller MC₁, MC₂. These two branches receive the respective input states E₁, E₂, supplied by sensors fitted to the installation or the machine being kept secure. The micro-controllers MC₁, MC₂ supply the outputs S₁, S₂. The output signal S triggers an operation in the event of nonconformity between the outputs S₁, S₂ in the comparator K. This signal can be an alarm signal or a signal to shut down the machine or the installation.

In order to modify the configuration of the security assembly, in accordance with the known technique, it is necessary to introduce the parameterization data P separately into each of the micro-controllers MC₁, MC₂. This operation is long, delicate and tedious.

Finally, the synchronization of the processing carried out by each of the micro-controllers MC₁, MC₂ in the branches B₁, B₂ is ensured by synchronization signals C₁, C₂ exchanged directly between the two micro-controllers MC₁, MC₂.

FIG. 2 shows diagrammatically a security assembly according to the invention. This assembly is also made up of two channels V₁, V₂ each fitted with a micro-controller MC₁, MC₂ exchanging synchronization signals C₁, C₂ with one another in order to synchronize the processing of the input signals (input states) E₁, E₂ which are applied to them.

Each micro-controller MC₁, MC₂ is linked to a respective re-writable memory MM₁, MM₂. In a preferred manner, these memories are of the EPROM type.

The two micro-controllers MC₁, MC₂ are linked to a common micro-controller MC₃ with which each micro-controller MC₁, MC₂ separately exchanges information C₁₃, C₃₁ or C₂₃, C₃₂.

The common micro-controller MC₃ is connected to an interface M, for example a group of push buttons and a display, to receive the parameterization data P. In order to be able to communicate easily with MC₃, a pull-down menu is integrated with it. It lists, non-exhaustively, the functions that can be parameterized, access to certain of them being protected by a confidential access code.

The outputs S₁, S₂ from the micro-controllers MC₁, MC₂ are connected to a comparator K which supplies an output signal S that represents the conformity of the signals S₁, S₂ or their nonconformity.

This security assembly operates in the following way, in two distinct situations.

In a first case, MC₃ is active and there is dialogue respectively with the micro-controllers MC₁, MC₂. During this exchange, the outputs S₁, S₂ are made inactive. This dialogue between the common micro-controller MC₃ and the micro-controllers MC₁, MC₂ of each of the channels V₁, V₂ can be expressed as the entering of information into the re-writable memories MM₁, MM₂.

In a second case, the common micro-controller MC₃ does not exchange information with the micro-controllers MC₁, MC₂ which work separately and in synchronism by exchanging data and information C₁, C₂. In this phase MC₁ and MC₂ generate information blindly to MC₃ through channels C₁₃ and C₂₃, MC₃ picking up this information at random. In these exchanges MC₁ and MC₂ are exclusively transmitters and MC₃ is exclusively a receiver.

The parameterization of the functions of the micro-controllers MC₁, MC₂ takes place, as indicated above, by the entering of parameterization data P through the interface M and the common micro-controller MC₃.

The operation of the security assembly described above and its parameterization is shown in FIG. 3.

Hence, through interface M, using the push-buttons M₁ or any other input means, a message is entered in the micro-controller MC₃ which sends messages 1, 1′ to micro-controllers MC₁, MC₂. They exchange signals in directions 2, 2′ in order to verify the homogeneity of the procedure. Then, the micro-controllers MC₁, MC₂ each send a message 3, 3′ in order to enter it in the associated re-writable memory MM₁, MM₂. The memories MM₁, MM₂ then send messages 4, 4′ to their respective micro-controllers MC₁, MC₂ which again exchange information 2, 2′ and verify the return message and then send the message received in this way (in the form of words with a control code 5, 5′) to the common micro-controller MC₃. After verification micro-controller MC₃ displays the message on the screen M₂. The message displayed is that entered into the memories MM₁, MM₂.

The operations in FIG. 3 are summarized below:

1, 1′  Message transmitted to MC₁ and MC₂
2, 2′  MC₁ and MC₂ mutually check the existence of the message
3, 3′  Writing into the respective EEPROMs
4, 4′  Verification by MC₁ and MC₂ of the value that has just been recorded in the EEPROM
5, 5′  Return of the message from MC₁ and MC₂ to MC₃
6      Display of the memorized message

This bilateral writing with exchange permits reliable entry of the message. In effect the message is doubly entered and recognized. Furthermore, each message 1 and 5 is made up of a code that has a Hamming distance of 4 with respect to the other codes. This is obtained by a cyclic redundancy code (word+CRC), that is to say that each code carries within itself its own authentication, and if this verification fails, the code is rejected.
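The FIG. 3 exchange modelled in C, as an added illustration that is not the patent's own firmware: MC₃'s word+CRC message is checked by each channel, cross-checked between the channels, written to the re-writable memory, read back, cross-checked again and returned to MC₃ for display. The four-byte parameter word, the CRC-8 polynomial 0x07 and the in-RAM arrays standing in for MM₁, MM₂ are assumptions; the page names neither the word size nor the polynomial.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the FIG. 3 exchange (not the patent's firmware).
 * A parameter message is "word + CRC"; the CRC-8 polynomial 0x07 is an
 * assumption, the page names no polynomial. */
#define PARAM_WORDS 4
typedef struct { uint8_t word[PARAM_WORDS]; uint8_t crc; } msg_t;
typedef struct { uint8_t eeprom[PARAM_WORDS]; } channel_t;   /* MC1/MM1 or MC2/MM2 */

static uint8_t crc8(const uint8_t *d, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int b = 0; b < 8; b++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

static msg_t make_msg(const uint8_t *p) {
    msg_t m;
    memcpy(m.word, p, PARAM_WORDS);
    m.crc = crc8(m.word, PARAM_WORDS);   /* the code "carries its own authentication" */
    return m;
}
static bool msg_valid(const msg_t *m) { return crc8(m->word, PARAM_WORDS) == m->crc; }

/* Steps 3/3' and 4/4': write the word to the channel's EEPROM, then read it back. */
static bool channel_store(channel_t *ch, const msg_t *m) {
    if (!msg_valid(m)) return false;                        /* bad code: reject */
    memcpy(ch->eeprom, m->word, PARAM_WORDS);               /* 3, 3' */
    return memcmp(ch->eeprom, m->word, PARAM_WORDS) == 0;   /* 4, 4' */
}

/* Whole procedure; m1/m2 are the copies MC3 sent to each channel (1, 1').
 * Returns 0 on success, otherwise the step at which the message was rejected.
 * Outputs S1, S2 are inactive throughout this phase (not modelled here). */
int parameterize(const msg_t *m1, const msg_t *m2, channel_t *ch1, channel_t *ch2, msg_t *shown) {
    if (!msg_valid(m1) || !msg_valid(m2)) return 1;
    if (memcmp(m1, m2, sizeof *m1) != 0) return 2;          /* 2, 2': mutual check */
    if (!channel_store(ch1, m1) || !channel_store(ch2, m2)) return 3;
    if (memcmp(ch1->eeprom, ch2->eeprom, PARAM_WORDS) != 0) return 4;  /* 2, 2' again on read-back */
    msg_t r1 = make_msg(ch1->eeprom), r2 = make_msg(ch2->eeprom);      /* 5, 5': word + CRC back to MC3 */
    if (!msg_valid(&r1) || memcmp(&r1, &r2, sizeof r1) != 0) return 5;
    *shown = r1;                                            /* 6: MC3 displays the memorized message */
    return 0;
}
```

A message whose CRC fails on either channel, or whose two copies differ, is rejected before anything is written, which is the behaviour the text describes for the word+CRC code.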

The flow graph in FIG. 4 shows the operation of the security assembly, distinguishing between normal operation (nominal working condition) and configuration (the loading of parameters P).

Firstly, through the RESET step E₁₁, E₁₂ corresponding to power-up, the program initializes the peripherals and carries out the test of the storage areas (E₂₁, E₂₂). The configuration present in the re-writable memory at this time is loaded (E₄₁, E₄₂) and, if the micro-controller MC₃ has not been acted upon by the push buttons M₁ of the interface M to carry out the passage into phase 2, one passes to the security processing phase (phase 1) and the carrying out of the security tasks E₃₁, E₃₂. One only quits this operation by a return to the initial condition RESET generated by the common micro-controller MC₃.

On the other hand, if after the initialization tests E₂₁, E₂₂ and the loading of the existing configuration E₄₁, E₄₂ the micro-controller MC₃ has been acted upon through the interface M, that is to say the push buttons M₁, in order to effect passage into phase 2, then one passes into phase 2. First of all, the new configuration is transmitted to the micro-controllers MC₁, MC₂ through the common micro-controller MC₃ (step E₅₁, E₅₂). This loading is followed by exchanges E₆₁, E₆₂ and then by the entering of the new configuration into the re-writable memory, step E₇₁, E₇₂. If necessary, the loop starts again for a further new configuration, or one quits this loop through a RESET signal sent through micro-controller MC₃.

Hence, in conclusion, the micro-controllers MC₁, MC₂ work in accordance with two operational phases that are distinct in time. They can work either in accordance with a nominal security phase or in accordance with a configuration phase with the entering of parameters. The execution of one or the other of these two phases is independent and the passage from one phase to the other takes place exclusively through the RESET signal. 

What is claimed is:
 1. A security assembly notably for electrosensitive protection equipment, comprising two micro-controllers (MC₁, MC₂) separately receiving specific and synchronous information (input states) for processing said synchronous information and supplying respective outputs (S₁, S₂), the two micro-controllers (MC₁, MC₂) being connected through links (C₁, C₂) to make the running of the programs consistent, processing the two input states in the micro-controllers (MC₁, MC₂), and a comparator (K) receiving the outputs (S₁, S₂) from the micro-controllers (MC₁, MC₂) for transmitting a signal in the event of nonconformity between the two outputs (S₁, S₂), and wherein said security assembly comprises a re-writable memory respectively associated with each micro-controller (MC₁, MC₂), and an interface (M) common to the two micro-controllers (MC₁, MC₂) and connected to the two micro-controllers through a common micro-controller (MC₃), for entering parameterization data for the functions of the two micro-controllers (MC₁, MC₂) performed by means of the common micro-controller (MC₃).
 2. A security assembly according to claim 1 wherein the interface is formed by push buttons and a display unit.
 3. A security assembly according to claim 1 wherein the third micro-controller (MC₃) engages in dialogue with the two micro-controllers (MC₁, MC₂) which each enter information into respective memories (MM₁, MM₂) while the outputs (S₁, S₂) from the two micro-controllers (MC₁, MC₂) are inactive.
 4. A security assembly according to claim 1 wherein the micro-controllers (MC₁, MC₂) work in accordance with operational phases that are distinct in time, a nominal security phase and a configuration phase for the entering of the parameters, the execution of these two phases being totally independent and the passage from one phase to the other being made exclusively by the RESET signal.